Configuring the Windows Server 2008 Terminal Services Gateway (Part 1)

If you would like to read the next part in this article series please go to Configuring the Windows Server 2008 Terminal Services Gateway (Part 2).

Microsoft security administrators have always been a bit wary of publishing Terminal Servers to the Internet. And for good reason: there was no way to pre-authenticate connections or to use policy to determine which users could access which Terminal Servers. The lack of pre-authentication was an especially difficult problem. Without pre-authentication, anonymous users could leverage their anonymous connections to compromise the published Terminal Server. A compromised Terminal Server is perhaps the most dangerous exploit possible against your network, as the attacker has access to a full operating system from which to launch his attacks.

Windows Server 2008 introduces the Terminal Services Gateway. Using a Terminal Services Gateway, you can pre-authenticate users and control which Terminal Servers users can access based on credentials and policy. This gives you the fine-grained control you need to ensure that you have a secure remote access RDP solution.

In this two-part series on how to put together a working Terminal Services Gateway solution, we will use the lab network you see in the figure below. The arrows show the flow of communications from the external RDP client to the Terminal Server.

Figure 1.

Each of the servers in this scenario is running Windows Server 2008 Enterprise Edition. In this example network, I am using the Windows Server 2008 NAT server as my Internet gateway. You could use any other simple NAT device or packet filtering router, like a PIX, or even an advanced firewall like the Microsoft ISA Firewall. The key configuration option here is that you forward TCP port 443 to the Terminal Service Gateway computer.

The Domain Controller has DNS, DHCP, Certificate Services in Enterprise CA mode, and WINS installed. The Terminal Server has only the base operating system installed; we will install other services during the course of this article series. The TS Gateway likewise has only the base operating system installed.

In this article series I will describe the following processes and procedures that you need to perform to get the basic solution running:

Install Terminal Services and Terminal Services Licensing on the Terminal Server
Configure Terminal Services Licensing
Install Desktop Experience on the Terminal Server (optional)
Configure the Terminal Services Licensing Mode
Install the Terminal Services Gateway Service on the Terminal Services Gateway
Request a Certificate for the Terminal Services Gateway
Configure Terminal Services Gateway to Use the Certificate
Create a Terminal Services Gateway RAP
Create a Terminal Services Gateway CAP
Configure the RDP Client to use the Terminal Services Gateway

Install Terminal Services and Terminal Services Licensing on the Terminal Server

The first step is to install Terminal Services on the Terminal Server computer. Perform the following steps to install Terminal Services and Terminal Services Licensing:

On the Terminal Server computer, open the Server Manager. In the Server Manager, click on the Roles node in the left pane of the console. Click the Add Roles link in the right pane of the console.

Figure 2.

Click Next on the Before You Begin page.

On the Select Server Roles page, put a checkmark in the Terminal Services checkbox. Click Next.

Figure 3.

Click Next on the Terminal Services page.

On the Select Role Services page, put a checkmark in the Terminal Server and TS Licensing checkboxes. Click Next.

Figure 4.

Click Next on the Uninstall and Reinstall Applications for Compatibility page.

On the Specify Authentication Method for Terminal Server page, select Require Network Level Authentication. We can select this option in our current scenario because we are using only Vista SP1 clients to connect to the Terminal Server through the TS Gateway. We would not be able to use this option if we needed to support Windows XP SP2 clients. You should be able to support Network Level Authentication with Windows XP SP3; however, I have not yet confirmed this, so make sure to check the release notes for Windows XP SP3 when it is released later this year. Click Next.

Figure 5.

On the Specify Licensing Mode page, select the Configure later option. We could select an option now, but I decided that we should select Configure later so that I can show you where in the Terminal Services console you configure the licensing mode. Click Next.

Figure 6.

On the Select User Groups Allowed Access To This Terminal Server page, use the default options. You can add or remove groups if you want finer-tuned access control over the Terminal Server. However, if all of your users will be going through the Terminal Services Gateway, then you can control who can connect to the Terminal Server using the TS Gateway policy settings. Leave the default settings as they are and click Next.

Figure 7.

On the Configure Discovery Scope for TS Licensing page, select the This domain option. We select this option in this scenario because we only have a single domain. If you have a multi-domain forest, you might consider selecting The forest option. Click Next.

Figure 8.
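Two of the choices made in this wizard, Require Network Level Authentication and leaving access control to the TS Gateway policies, are worth verifying from the command line once the role is installed and the server has restarted, because the wizard gives no later view of them. The following PowerShell is an added example and not part of the original article: it reads the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class, turns NLA on and raises the minimum encryption level to High if they are not already set, and then scopes the Windows Firewall rule for TCP 3389 so that only the TS Gateway's internal address can reach the Terminal Server directly, which is what makes "control who can connect using the TS Gateway policy settings" actually hold. The gateway address 10.0.0.5, the firewall rule name and the built-in rule name "Remote Desktop (TCP-In)" are assumptions for the lab; the firewall part relies on the default inbound action being Block.

```powershell
# Added example (not from the article). Values assumed for the lab network:
$GatewayIp    = '10.0.0.5'                  # internal address of the TS Gateway (assumed)
$ListenerName = 'RDP-Tcp'                   # default RDP listener name on Windows Server 2008
$RuleName     = 'RDP from TS Gateway only'  # assumed name for the scoped firewall rule

# --- 1. Listener settings: NLA, encryption level, security layer ------------
# Win32_TSGeneralSetting lives in the TerminalServices WMI namespace; there is
# one instance per listener, selected by TerminalName.
function Get-RdpListener($name) {
    Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                  -Class Win32_TSGeneralSetting -Filter "TerminalName='$name'"
}

# Numeric values as the Terminal Services Configuration GUI labels them.
$encNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$secNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

function Show-RdpListener($t) {
    'NLA required   : ' + ($t.UserAuthenticationRequired -eq 1)
    'Min encryption : ' + $encNames[[int]$t.MinEncryptionLevel]
    'Security layer : ' + $secNames[[int]$t.SecurityLayer]
}

# Every Set* method on Win32_TSGeneralSetting returns 0 on success.
function Assert-TsOk($result, $what) {
    if ($result.ReturnValue -ne 0) { throw "$what failed with code $($result.ReturnValue)" }
}

$ts = Get-RdpListener $ListenerName
if ($ts -eq $null) { throw "RDP listener '$ListenerName' not found" }
'Before:'; Show-RdpListener $ts

# NLA rides on CredSSP, which the legacy RDP Security Layer (0) cannot carry,
# so move the listener to Negotiate (1) before requiring NLA.
if ([int]$ts.SecurityLayer -eq 0) {
    $r = $ts.SetSecurityLayer(1)
    Assert-TsOk $r 'SetSecurityLayer'
}
if ($ts.UserAuthenticationRequired -ne 1) {
    $r = $ts.SetUserAuthenticationRequired(1)
    Assert-TsOk $r 'SetUserAuthenticationRequired'
}
# Level 3 (High) is 128-bit RC4 in both directions; level 4 (FIPS) is stricter
# still, so only raise the level when it is currently below High.
if ([int]$ts.MinEncryptionLevel -lt 3) {
    $r = $ts.SetEncryptionLevel(3)
    Assert-TsOk $r 'SetEncryptionLevel'
}

# Re-read to confirm the changes stuck.
$ts = Get-RdpListener $ListenerName
'After:'; Show-RdpListener $ts

# --- 2. Only the gateway may reach TCP 3389 ----------------------------------
# Windows Firewall with Advanced Security (netsh advfirewall) ships with
# Windows Server 2008 and blocks inbound traffic by default. Disable the broad
# built-in Remote Desktop rule and replace it with one scoped to the gateway.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no | Out-Null
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null   # ignore 'no rules match'
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
      protocol=TCP localport=3389 remoteip=$GatewayIp | Out-Null

# Display the resulting rule so the RemoteIP scope can be checked.
netsh advfirewall firewall show rule name="$RuleName"
```

Run it in an elevated PowerShell session on the Terminal Server. The first half is also the quickest way to see whether a listener is still on the RDP Security Layer, which silently prevents NLA from being enforced even when the wizard option was selected.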
On the Confirm Installation Selections page, check the warning information indicating that you might have to reinstall applications that were already installed on this machine if you want them to work properly in a Terminal Services session environment. Also note that IE Enhanced Security Configuration will be turned off. Click Install.

Figure 9.

On the Installation Results page, you will see a warning that you must restart the server to complete the installation. Click Close.

Figure 10.

Click Yes in the Add Roles Wizard dialog box that asks if you want to restart the server.

Log on as Administrator. The installation will continue for a few minutes as the Installation Progress page appears after the Server Manager comes up. Click Close on the Installation Results page after you see the Installation succeeded message.

Figure 11.

You may see a balloon telling you that the Terminal Services licensing mode is not configured. You can dismiss that warning, as we will next configure Terminal Services Licensing and then configure the licensing mode on the Terminal Server.

Figure 12.

Configure Terminal Services Licensing

At this point we are ready to configure Terminal Services Licensing. In this example I will use some dummy data, which does not meet the actual requirements for licensing Terminal Services client connections, but it will show how the process works. Please do not use the same procedure that I show here to license your Terminal Services clients, because you will not be compliant with actual licensing requirements.

Perform the following steps to activate your Terminal Services Licensing Server:

From the Administrative Tools menu, click the Terminal Services menu and then click TS Licensing Manager.

In the TS Licensing Manager console, right-click the server name in the left pane of the console. Click Activate Server.

Figure 13.

Click Next on the Welcome to the Activate Server Wizard page.
On the Connection Method page, select the Automatic Connection (recommended) option. Click Next.

Figure 14.

On the Company Information page, enter your company information and click Next.

Figure 15.

Enter optional information if you like on the Company Information page. Click Next.

Figure 16.

On the Completing the Activate Server Wizard page, make sure that the Start Install Licenses Wizard now option is checked. Click Next.

Figure 17.

Click Next on the Welcome to the Install Licenses Wizard page.

On the License Program page, click the down arrow on the License program list and pick the license program that you participate in. In this example I will select Other agreement, since this lab is not participating in any license program. Click Next.

Figure 18.

Remote Desktop Services - Wikipedia

Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allows a user to take control of a remote computer or virtual machine over a network connection. RDS is Microsoft's implementation of thin client, where Windows software, and the entire desktop of the computer running RDS, are made accessible to a remote client machine that supports Remote Desktop Protocol (RDP). With RDS, only software user interfaces are transferred to the client system. All input from the client system is transmitted to the server, where software execution takes place.[2] This is in contrast to application streaming systems, like Microsoft App-V, in which computer programs are streamed to the client on demand and executed on the client machine. RemoteFX was added to RDS as part of Windows Server 2008 R2 Service Pack 1.

Overview

RDS was first released as "Terminal Server" in "Windows NT Server 4.0, Terminal Server Edition", a stand-alone operating system including SP3 and fixes built in. Starting with Windows 2000, it was integrated with the
Windows NT family of operating systems[3] and was improved with each version of Windows.[4] The rename to "Remote Desktop Services" occurred with Windows Server 2008 R2[5] in 2009.

Windows includes three client components that use RDS:

Windows Remote Assistance
Remote Desktop Connection (RDC)
Fast User Switching

The first two are individual utilities that allow a user to take control of a remote computer over the network. In the case of Remote Assistance, the remote user needs to receive an invitation and the control is cooperative. In the case of RDC, however, the remote user opens a new session on the remote computer and has every power granted by its user account's rights and restrictions.[2][6][7] Fast User Switching allows users to switch between user accounts on the local computer without quitting software and logging out. Fast User Switching is part of Winlogon and uses RDS to accomplish its switching feature.[8][9] Third-party developers have also created client software for RDS. For example, rdesktop supports Unix platforms.

Although RDS is shipped with most editions of all versions of Windows NT since Windows 2000, its functionality differs in each version. Windows XP Home Edition does not accept any RDC connections at all, reserving RDS for Fast User Switching and Remote Assistance only. Other client versions of Windows only allow a maximum of one remote user to connect to the system, at the cost of the user who has logged onto the console being disconnected. Windows Server allows two users to connect at the same time. This licensing scheme, called "Remote Desktop for Administration", facilitates administration of unattended or headless computers. Only by acquiring additional licenses (in addition to that of Windows) can a computer running Windows Server service multiple remote users at one time and achieve virtual desktop infrastructure.[5][8]

For an organization, RDS allows the IT department to install applications on a central server instead of multiple computers. Remote users can log on and use those applications over the network. Such centralization can make maintenance and troubleshooting easier. RDS and Windows authentication systems prevent unauthorized users from accessing apps or data.

Microsoft has a long-standing agreement with Citrix to facilitate sharing of technologies and patent licensing between Microsoft Terminal Services and Citrix XenApp (formerly Citrix MetaFrame and Citrix Presentation Server). In this arrangement, Citrix has access to key source code for the Windows platform, enabling its developers to improve the security and performance of the Terminal Services platform. In late December 2004, the two companies renewed this arrangement to cover Windows Vista.

Architecture

The server component of RDS is Terminal Server (termdd.sys), which listens on TCP port 3389. When a Remote Desktop Protocol (RDP) client connects to this port, it is tagged with a unique SessionID and associated with a freshly spawned console session (Session 0, keyboard, mouse and character mode UI only). The login subsystem (winlogon.exe) and the GDI graphics subsystem are then initiated, which handle the job of authenticating the user and presenting the GUI. These executables are loaded in a new session, rather than the console session. When creating the new session, the graphics and keyboard/mouse device drivers are replaced with RDP-specific drivers: RdpDD.sys and RdpWD.sys. RdpDD.sys is the display device driver; it captures the UI rendering calls into a format that is transmittable over RDP. RdpWD.sys acts as keyboard and mouse driver; it receives keyboard and mouse input over the TCP connection and presents them as keyboard or mouse inputs. It also allows creation of virtual channels, which allow other devices, such as disc, audio, printers, and COM ports, to be redirected. The channels connect to the client over the TCP connection; as the channels are accessed for data, the client is informed of the request, which is then transferred over the TCP connection to the application. This entire procedure is done by the terminal server and the client, with RDP mediating the correct transfer, and is entirely transparent to the applications.

RDP communications are encrypted using 128-bit RC4 encryption. Windows Server 2003 and later can use FIPS 140 compliant encryption schemes.[2]

Once a client initiates a connection and is informed of a successful invocation of the terminal services stack at the server, it loads up the device as well as the keyboard/mouse drivers. The UI data received over RDP is decoded and rendered as UI, whereas the keyboard and mouse inputs to the window hosting the UI are intercepted by the drivers and transmitted over RDP to the server. It also creates the other virtual channels and sets up the redirection. RDP communication can be encrypted using either low, medium or high encryption. With low encryption, user input (outgoing data) is encrypted using a weak (40-bit RC4) cipher. With medium encryption, UI packets (incoming data) are encrypted using this weak cipher as well. The setting "High encryption (Non-export)" uses 128-bit RC4 encryption and "High encryption (Export)" uses 40-bit RC4 encryption.

Terminal Server

Terminal Server is the server component of Terminal Services. It handles the job of authenticating clients, as well as making the applications available remotely. It is also entrusted with the job of restricting the clients according to the level of access they have. The Terminal Server respects the configured software restriction policies, so as to restrict the availability of certain software to only a certain group of users. The remote session information is stored in specialized directories, called Session Directory, which are stored at the server. Session directories are used to store state information about a session, and can be used to resume interrupted sessions. The terminal server also has to manage these directories. Terminal Servers can be used in a cluster as well.[2]

In Windows Server 2008, if the user logged on to the local system using a Windows Server Domain account, the credentials from the same sign-on can be used to authenticate the remote session. However, this requires Windows Server 2008 to be the terminal server OS, while the client OS is limited to Windows Server 2008, Windows Vista and Windows 7. In addition, the terminal server may be configured to allow connection to individual programs, rather than the entire desktop, by means of a feature named RemoteApp. Terminal Services Web Access (TS Web Access) makes a RemoteApp session invocable from the web browser. It includes the TS Web Access Web Part control which maintains the list of RemoteApps deployed on the server and keeps the list up to date. Terminal Server can also integrate with Windows System Resource Manager to throttle resource usage of remote applications.[4] Terminal Server is managed by the Terminal Server Manager Microsoft Management Console snap-in. It can be used to configure the sign-in requirements, as well as to enforce a single instance of remote session.
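The Terminal Server records every session it authenticates, which gives a direct way to check that the gateway-only path described in the first half of this page is the one actually being used. The following PowerShell is an added example, not from the Wikipedia text or the article: it pulls successful logon events (Security event 4624) from the Terminal Server, keeps the RemoteInteractive ones (logon type 10, the session type an RDP client receives), and lists any whose source address is not the TS Gateway, since a gateway-brokered session reaches TCP 3389 from the gateway's own address rather than from the Internet client. It assumes PowerShell 2.0 or later for Get-WinEvent (standard on Windows Server 2008 R2, installable on Windows Server 2008), that successful-logon auditing is enabled, and an assumed gateway address of 10.0.0.5.

```powershell
# Added example (not from the article or the Wikipedia text). Assumes
# PowerShell 2.0+ (Get-WinEvent) and that successful-logon auditing is on.
$GatewayIp = '10.0.0.5'     # internal address of the TS Gateway (assumed)

function Get-RdpLogon {
    param([datetime]$StartTime)
    # Security 4624 = successful logon. Logon type 10 (RemoteInteractive) is the
    # interactive RDP session; the CredSSP pre-authentication that NLA adds is
    # logged separately as a type 3 (Network) logon and is ignored here.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        # EventData is a list of <Data Name="...">value</Data> elements.
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -ne '10') { continue }
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            User    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Source  = $data['IpAddress']
            LogonId = $data['TargetLogonId']
        }
    }
}

function Find-GatewayBypass {
    param([datetime]$StartTime, [string]$Gateway)
    # Sessions brokered by the TS Gateway arrive from the gateway's own address,
    # so any other remote source reached TCP 3389 directly and skipped the
    # gateway's pre-authentication and CAP/RAP checks. Local and unknown
    # sources ('-', loopback) are left out of the report.
    Get-RdpLogon -StartTime $StartTime | Where-Object {
        $_.Source -ne $Gateway -and $_.Source -ne '-' -and
        $_.Source -ne '127.0.0.1' -and $_.Source -ne '::1'
    }
}

$since  = (Get-Date).AddDays(-1)
$direct = @(Find-GatewayBypass -StartTime $since -Gateway $GatewayIp)
if ($direct.Count -eq 0) {
    "No RDP logons since $since came from anywhere but the TS Gateway ($GatewayIp)."
} else {
    "RDP logons since $since that did not come through the TS Gateway:"
    $direct | Sort-Object Time | Format-Table Time, User, Source, LogonId -AutoSize
}
```

Run it on the Terminal Server with an account that can read the Security log. A non-empty list means either a host on the internal network is connecting to 3389 directly (which may be legitimate administration) or the NAT device is forwarding more than TCP 443 to the inside, and in both cases the firewall scope on the Terminal Server is the place to look first.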
Archives
October 2017